The proposed “Hack Back” bill, officially called the Active Cyber Defense Certainty Act (ACDC), would allow organizations that are victims of hackers to take aggressive action in their own defense. While this may sound like a positive step in the fight against cyber crime, there are several considerations:

  1. What is considered “self-defense”, and when exactly can this step be taken?  The concept of “standing your ground” is cited in the bill, but each state has different definitions for defending physical property or family members, so you’ll have to be sure you understand when you can legally take action and what actions you can take to “hack back.”
  2. Will you need to inform law enforcement?  While this is not yet answered, the implication is that you should inform law enforcement, partly to protect your organization from being seen as taking illegal action by hacking and partly to share information that could help law enforcement agencies recognize similar attacks and potentially identify attackers.
  3. How reliable is the information on the attack?  Can you determine with certainty whom to counter-attack without the risk of hacking an innocent party?
  4. Are you sufficiently prepared to attack back?  It takes technology and know-how to launch a counter-attack.  If you don’t have this experience, don’t try it.
  5. What do you hope to gain by attacking back?  You’re not likely to be able to bring a hacker to justice this way, so if you can simply stop the attack and make them move on, that’s likely the better business decision.

It will be interesting to see whether the active defense bill passes, and how it plays out legally for the early adopters who attempt an offensive defense approach.  Meanwhile, most organizations would be best served by good cyber hygiene: test for vulnerabilities, patch them promptly, and be prepared to detect and respond to incidents.